How can I block AS/400 users to modify data using WinSQL from the PC?
Already I have some users that have insalled into their PCs iSeries Access and WinSQL, they run WinSQL that uses an ODBC to change data using SQL sentences.
*** WinSQL is universal database management tool that can be used with any relational database to run SQL queries.

Answer Wiki

I think you should be able to modify their user ids and limit what they can do. Check into object authority, group authority.
/////////////////////////////////////////////////////////////

The data files should be limited to *public view
and your rpgle/cobol programs should use owner authority
with the “owner” having full data authroity to the data.

Good luck

Phil

If you have the users using their green screen access to run the programs and then they use that same access to use the data vis ODBC, there is little that can be done except to take away their update/write capability and front end their application menu with an adopted authority that gives the users via green screen the access they need. Then they would not have anything but read only access.

You will also have to front end any jobs that submit their requests to batch as the adopt authority does not follow along but a routing program that calls a program just to adopt a profile with the same authority as the inital call program menu will work just fine.

This can be a lot of work and testing to get this functionality working but well worth it to the company and the auditors 🙂

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy

Processing your response...

Discuss This Question: 5 &nbspReplies

There was an error processing your information. Please try again later.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy

You can limit or deny a user’s authority to ODBC by using an exit program. Here are a few examples to help you get started:
http://www.google.com/search?hl=en&q=odbc+exit+programs&aq=f&oq=
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaik/rzaikodbcexitprog.htm
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaik/rzaikodbcexitprog.htm
http://www.itjungle.com/fhg/fhg112906-story02.html

Using Operations/ISERIES Navigator, you can use the Application Administration to customize ODBC access. Also FTP and Excel addin's. Ity is a very useful tool if you do not want to get into exit point programming.

I'm not employed by NetIQ, but have spent much of the last five yrs. helping companies pass SOX and PCI audits with the product. The exit points are there, and you can exclude all ODBC or DRDA SQL access, then grant it to an individual user profile BY OBJECT, and restrict them from updating other files through remote SQL, even if they have update authority.
If your iSeries is going to keep up with the client server/database world, you have to be able to allow but control SQL access to the iSeries database.
A really GOOD programmer can write the exit programs to do this, but I've seen more than a few pgmrs fail to have the exit pgms ever work correctly all the time.

One of the best protection software packages I have seen for locking down FTP, ODBC and other external intrusions into the iSeries is a package called Network Security from POWERTECH. The product is also known as Powerlock and gives you full control over several layers of access for each process that you want to control.
It is pretty easy to enroll by just monitoring the system over a month or so and then transferring the information to a lock down situation for that user.
Lovemyi

Using Operations/ISERIES Navigator, you can use the Application Administration to customize ODBC access.
Be aware that this is intended only for the iSeries Access ODBC driver. A different vendor's driver is not obligated to obey the restrictions. (Some won't even know it exists.)
Tom

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy

Processing your reply...

Ask a Question

Free Guide: Managing storage for virtual environments

Complete a brief survey to get a complimentary 70-page whitepaper featuring the best methods and solutions for your virtual environment, as well as hypervisor-specific management advice from TechTarget experts. Don’t miss out on this exclusive content!

To follow this tag...

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy